How would Sun Tzu defend computer systems? Poorly. A new era needs new thinking.

Summary: The theft of the Federal government’s personnel data has brought information security back to the front pages, along with the usual cries of “off with their heads” for the guilty and promises of Total Information Security in the future, while the signal-to-noise ratio in the media drops towards zero. To help restore our sense of proportion, here’s an article from the past by two well-known experts discussing the difficulty of e-defense in the 21st century.

“As we shall show, defense is a stronger form of fighting than attack. … I am convinced that the superiority of the defensive (if rightly understood) is very great, far greater than appears at first sight.”
— Clausewitz, On War, Book 1, Chapter 1

Posted with the authors’ permission.

Lately, you can’t swing a dead cat without hitting someone in InfoSecurity who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In The Art of War, Sun Tzu’s writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren’t terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Sun Tzu’s work is not relevant to modern-day InfoSec, people tend to force analogies and stretch comparisons to his work. These big leaps amount to professionals whoring themselves just to get in what seems like a cool reference and wise quote.

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” {The Art of War}

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don’t need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don’t see a particular need to upgrade or improve those areas. The cost of an unassailable position is that nobody can use it.

Information security is not warfare (leaving aside actual warfare, of course). The bulk of security practitioners are working to protect private and public networks and do not strike back against any enemy.

Even penetration testers conduct their ‘battles’ within a limited scope, under supervision and governed by laws. A pen test is absolutely NOT knowing your enemy. Turning your own people, or agents you employ, against your own networks to test their security tells you nothing about your attacker. It is an exercise in better knowing your own strengths and weaknesses. It’s also not “thinking like your enemy.” If you can’t identify who your enemy is, you can’t think like him. All you can do is apply your own offensive techniques against your own position.

The only relevant application of Sun Tzu’s work today might be for the bad guy attacking a specific target.

Sun Tzu makes many statements about victory in war, none of which apply to InfoSec, since the war cannot be won. We don’t have one enemy; we have an inexhaustible supply of a wide variety of enemies, and most don’t even care who we are. Do you know your enemy? If you answer ‘yes’ to that question, you have already lost the battle and the war. If you know some of your enemies, you are well on your way to understanding why Sun Tzu’s teachings haven’t been relevant to InfoSec for over two decades.

Do you want to know your enemy? Fine, here you go. Your enemy may be any or all of the following:

12 y/o student in Ohio learning computers in middle school.

13 y/o home-schooled girl getting bored with social networks.

15 y/o kid in Brazil that joined a defacement group.

16 y/o student in Tokyo, learning programming in high school.

18 y/o high school drop out in the Ukraine.

19 y/o college student putting class work into practice.

20 y/o Taco Bell employee bored with the daily grind.

21 y/o man in Mali working for an international carding ring.

23 y/o mother in Poland, trying to supplement income.

24 y/o black hat intent on compromising any company encountered.

25 y/o soldier in the North Korean army.

26 y/o military contractor in Iraq.

28 y/o Chinese government employee, soon to be mother.

29 y/o vegan in Oregon who firmly believes in political hacktivism.

30 y/o white hat pen tester who has not let go of her black hat origins.

31 y/o security researcher who finds vulnerabilities on live sites.

32 y/o alcoholic in New Zealand, with nothing to lose.

34 y/o employee who sees a target of opportunity.

35 y/o officer in MI6.

36 y/o “consulate attache” that may be FSB.

40 y/o disgruntled admin, passed over for raise 5 years in a row.

42 y/o private investigator looking for dirt on your CEO.

43 y/o malware author, paid per compromised host.

45 y/o member of a terrorist group.

55 y/o corporate intelligence consultant.

What’s more, these enemies have our networks under siege, which Sun Tzu says is no way to win a war.

“The rule is, not to besiege walled cities if it can possibly be avoided. The preparation of mantlets, movable shelters, and various implements of war, will take up three whole months; and the piling up of mounds over against the walls will take three months more.” {The Art of War}

Um, yeah. Sun Tzu’s not helping us here. How about that popular one about knowing your enemy?

“Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.” {The Art of War}

But of course, there is no winning. You can take the time to try to know all the different kinds of attackers hitting your networks, but you can never claim victory. If we board up our windows against a hurricane, we don’t “win” if our homes and windows survive the storm.

It would make more sense for InfoSec practitioners to learn from hurricane or flood preparedness than Sun Tzu. For most of us, attacks on our networks are more like the constant and varied attacks from weather, and rather than try to wrap ourselves up in the glorious wisdom of Chinese philosophy and the excitement of some amorphous global “cyberwar”, we should probably focus on the mundane, boring details of maintaining and monitoring our networks. …

Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Cupcake and Lyger.

About the authors

Martin has been poking about the hacker/security scene for over 19 years. No degree, no certifications, just the willingness to say things many in this dismal industry are thinking but unwilling to say themselves. He founded attrition, and is a senior officer at the Open Security Foundation.

Steve Tornio

Steve has been active within the security community for the past 17 years, most prominently as a moderator for the Open Source Vulnerability Database (osvdb.org) and as a contributor to the Metasploit Framework. With Sunera, Steve has led war dial, wireless, network and web application vulnerability and penetration assessments with the specific goal of identifying and exploiting vulnerabilities. Prior to Sunera, Steve worked in the banking/finance sector as a network and security engineer, managing a team composed of network, systems and communications engineers providing 24×7 monitoring and response, technical support and documentation for a multinational capital management firm. Steve is a Certified Information Systems Security Professional (CISSP) and an Offensive Security Certified Professional (OSCP).


Easy, and I have done it. Take one simple approach. First select the data you MUST hide; that will be a small percentage of the total data (1%?). Don’t waste too much time hiding and protecting the rest of it.

Obviously restrict access… but, being more clever (duh), as that will always fail, de-identify the data. That means for those, like analysts, who have no need to know details, you can just swap (eg) names for random codes. Only a very small number (say 10 at most) can link the (eg) names to the codes. These ‘code maps’ are really guarded with blood…. Whenever anyone who has access leaves, it is always randomly redone.

You physically separate the computer systems; (eg) the ‘code maps’ are on a separate system that is linked to nothing. It means a physical movement of something to do it. Best are ‘read only’ transfer mediums, so nothing can be read from the ‘code map’ system. Add in encryption, etc. and you have a secure system.

The reverse of the ‘capture everything, understand nothing’ approach. Easy to do, just a bit of thought and discipline. Call it ‘protect the core’, forget the trash. Rinse and repeat and expand….
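The comment above sketches a pseudonymization scheme: swap names for random codes, keep the name-to-code map on a separate guarded system, and reissue every code whenever someone who could see the map leaves. The block below is an added example of that scheme in Python; it is not the commenter’s code and not from the original article. The records, field names and the `rotate_codes` step are constructed for illustration, and a real deployment would keep `code_map` on the separate system the comment describes rather than in the same process.

```python
"""Pseudonymize records with random codes, keeping the linking map apart.

Added example (not from the page). Sample records are constructed.
"""
import secrets
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample data: two people, one appearing twice.
RECORDS: List[Record] = [
    {"name": "Alice Example", "salary": "82000", "dept": "finance"},
    {"name": "Bob Sample", "salary": "61000", "dept": "ops"},
    {"name": "Alice Example", "salary": "82000", "dept": "finance"},
]


def new_code() -> str:
    """96 random bits; a code carries no information about the name it replaces."""
    return secrets.token_hex(12)


def pseudonymize(records: List[Record], field: str = "name") -> Tuple[List[Record], Dict[str, str]]:
    """Return (working_copy, code_map).

    The working copy is what analysts get: the sensitive field replaced by a
    code, the same code for the same name so joins still work. The code_map
    (name -> code) is the only thing that links codes back to names and is
    meant to live on the separate, guarded system.
    """
    code_map: Dict[str, str] = {}
    working: List[Record] = []
    for rec in records:
        value = rec[field]
        if value not in code_map:
            code_map[value] = new_code()
        out = dict(rec)
        out[field] = code_map[value]
        working.append(out)
    return working, code_map


def reidentify(working: List[Record], code_map: Dict[str, str], field: str = "name") -> List[Record]:
    """Reverse the mapping; only possible for whoever holds code_map."""
    reverse = {code: name for name, code in code_map.items()}
    return [dict(r, **{field: reverse[r[field]]}) for r in working]


def rotate_codes(working: List[Record], code_map: Dict[str, str], field: str = "name") -> Tuple[List[Record], Dict[str, str]]:
    """Reissue every code (the "randomly redone" step when a map holder leaves).

    After rotation the old map, and any memory of it, links to nothing.
    """
    new_map = {name: new_code() for name in code_map}
    old_to_new = {code_map[name]: new_map[name] for name in code_map}
    new_working = [dict(r, **{field: old_to_new[r[field]]}) for r in working]
    return new_working, new_map


def leaks_names(working: List[Record], code_map: Dict[str, str], field: str = "name") -> bool:
    """Sanity check before handing out a working copy: no real name may remain."""
    return any(r[field] in code_map for r in working)
```

The working copy by itself is useless to someone who obtains it, because the codes are random rather than derived from the names; the value of the scheme therefore rests entirely on how well the map is kept apart, which is exactly the point the next reply takes up.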

“These ‘code maps’ are really guarded with blood…. Anyone who has access who leaves, then it is always randomly re done again.”

This relies on encryption, and it wouldn’t work, because when you guard information it isn’t like guarding a door or putting a lock on the door.

The stuff being “guarded” can be copied, possibly without its intended owner ever knowing, and without the person who obtained a copy being able to read it. A second event could happen much later that allows someone with the copy (or a copy of the copy, etc.) to read what they have.

-but-

What you said about carefully picking out and limiting how much data is going to be heavily protected is huge. If you try to protect everything, then you end up with a system that’s being accessed all the time by everyone from everywhere. Such a system is less likely to be secure.

This thread seems to consist of people informed mostly by watching TV and movies. As usual. People don’t even bother to cite or quote somebody who actually knows something about these matters.

As said so often in the posts here about cybersecurity, the vast majority of system “penetrations” result from a combination of deliberate acts by insiders (e.g., Snowden), outsiders exploiting accidental/careless acts by insiders (e.g., probable source of Climategate emails), or “social engineering” (outsiders getting information facilitating access from insiders, as in the OPM theft).

“Hacking” critical protected systems is a small fraction of total incidents. It is a lot of work, especially for amateurs (again unlike Hollywood-world, where the amateurs are usually better than the pros – doubly so if they are teenagers).

I like what Lisa has suggested. Having said so, I would like to say that I think computerized data of any type is the “New Maginot Line”. While data is ubiquitous and includes everything from spam to protected files, the whole system runs in a channel that is fairly well defined and therefore vulnerable to breaches. If you don’t believe what I am saying, try logging on or hacking a system during the next power outage.